Description

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter.

Related CPE's

a

purethemes

findeo

*

*

*

*

*

wordpress

Vulnerable

a

purethemes

realteo

*

*

*

*

*

wordpress

Vulnerable

References

https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt

https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt

https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5

ExploitThird Party Advisory

https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/

Release NotesVendor Advisory

https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Findeo-WordPress-Theme-v1.3.0.txt

https://m0ze.ru/vulnerability/%5B2021-03-20%5D-%5BWordPress%5D-%5BCWE-284%5D-Realteo-WordPress-Plugin-v1.2.3.txt

https://wpscan.com/vulnerability/b8434eb2-f522-484f-9227-5f581e7f48a5

ExploitThird Party Advisory

https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/

Release NotesVendor Advisory

Weaknesses

[email protected]

Secondary
CWE-284

[email protected]

Primary
CWE-425

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.5 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-04-22T19:15:09.797Z

4 years ago

Last modified

2024-11-21T04:52:39.760Z

1 year ago